Joshua Schaeffer wrote:
Hey all,
I've been using OpenLDAP and Kerberos for central authentication for a while now, but I have a couple of programs that can't use GSSAPI directly, and I want to set up SASL pass-through authentication to allow those services to use my Kerberos passwords. However, I'm having trouble getting saslauthd to work correctly.
I can authenticate as myself using GSSAPI without any issue:
jschaeffer@zipmaster07 ~/Downloads $ ldapwhoami
SASL/GSSAPI authentication started
SASL username: jschaeffer@HARMONYWAVE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=jschaeffer,ou=end users,ou=people,dc=harmonywave,dc=com
But whenever I run the testsaslauthd command I can't get a successful authentication:
root@baneling:~# testsaslauthd -u jschaeffer@HARMONYWAVE.COM -p <password>
0: NO "authentication failed"
When I debug the saslauthd daemon, all I get is this:
root@baneling:~# saslauthd -a kerberos5 -m /var/run/saslauthd -n 5 -d
saslauthd[1121] :main : num_procs : 5
saslauthd[1121] :main : mech_option: NULL
saslauthd[1121] :main : run_path : /var/run/saslauthd
saslauthd[1121] :main : auth_mech : kerberos5
saslauthd[1121] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
saslauthd[1121] :detach_tty : master pid is: 0
saslauthd[1121] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[1121] :main : using process model
saslauthd[1121] :have_baby : forked child: 1122
saslauthd[1122] :get_accept_lock : acquired accept lock
saslauthd[1121] :have_baby : forked child: 1123
saslauthd[1121] :have_baby : forked child: 1124
saslauthd[1121] :have_baby : forked child: 1125
saslauthd[1122] :rel_accept_lock : released accept lock
saslauthd[1124] :get_accept_lock : acquired accept lock
saslauthd[1122] :do_auth : auth failure: [user=jschaeffer@HARMONYWAVE.COM] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
Kind of at a loss as to what else I should look at. Any tips would be appreciated.
Your testsaslauthd is trying to use the imap service. If you don't have an imap service in your KDC, then of course it will fail.
Your testsaslauthd is trying to use the imap service. If you don't have an imap service in your KDC, then of course it will fail.
I saw that, but couldn't figure out how to change the service directly (nothing in saslauthd(8) says anything about the service). I'm assuming that "imap" is the default when using testsaslauthd. I could get it to change when I try a simple bind, but that doesn't change the result: I still get an error, and I do have an ldap service in my KDC. I also do have {SASL}jschaeffer@HARMONYWAVE.COM set as my userPassword.
root@baneling:~# ldapsearch -LLL -x -D "uid=jschaeffer,ou=End Users,ou=People,dc=harmonywave,dc=com" -W -b ""
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
saslauthd[1479] :do_auth : auth failure: [user=jschaeffer] [service=ldap] [realm=HARMONYWAVE.COM] [mech=kerberos5] [reason=saslauthd internal error]
kadmin: listprincs
...
ldap/baneling.harmonywave.com@HARMONYWAVE.COM
...
Thanks, Joshua Schaeffer
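The two do_auth failure lines in this thread differ only in how user, service and realm were split up (user=jschaeffer@HARMONYWAVE.COM with an empty realm and service imap on the first run; user=jschaeffer, realm=HARMONYWAVE.COM and service ldap on the second), and the earlier reply's point is that the service name decides which KDC principal the check needs. The script below is an added example, not code from the thread or from Cyrus SASL: it parses saslauthd do_auth failure lines like the ones quoted, normalises user and realm the way the two runs present them, derives the service principal under the assumption that the kerberos5 mechanism verifies against service/host@REALM, and looks both principals up in a constructed stand-in for the listprincs output. The host name baneling.harmonywave.com, the default realm, the sample log text and all principals other than the ldap/ one are assumptions of the example.

```python
import re

# Constructed sample input: the two do_auth failure lines quoted in the thread.
SAMPLE_LOG = """\
saslauthd[1122] :do_auth : auth failure: [user=jschaeffer@HARMONYWAVE.COM] [service=imap] [realm=] [mech=kerberos5] [reason=saslauthd internal error]
saslauthd[1479] :do_auth : auth failure: [user=jschaeffer] [service=ldap] [realm=HARMONYWAVE.COM] [mech=kerberos5] [reason=saslauthd internal error]
"""

# Constructed stand-in for `kadmin: listprincs` output. Only the ldap/ principal
# appears in the thread; the other two are assumed for the example.
SAMPLE_PRINCS = """\
krbtgt/HARMONYWAVE.COM@HARMONYWAVE.COM
ldap/baneling.harmonywave.com@HARMONYWAVE.COM
jschaeffer@HARMONYWAVE.COM
"""

# Assumed: the host saslauthd runs on (the shell prompt in the thread is baneling)
# and the realm to fall back to when neither the user nor the realm field carries one.
SASLAUTHD_HOST = "baneling.harmonywave.com"
DEFAULT_REALM = "HARMONYWAVE.COM"

# Field layout of a saslauthd do_auth failure line, as seen in the debug output above.
AUTH_FAIL_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\] :do_auth : auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] "
    r"\[reason=(?P<reason>[^\]]*)\]"
)


def parse_auth_failures(log_text):
    """Return one dict per do_auth failure line; other debug lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def split_user_realm(user, realm, default_realm=DEFAULT_REALM):
    """Return (name, realm). A user written as name@REALM carries its realm inline;
    otherwise use the separate realm field, then the assumed default realm."""
    if "@" in user:
        name, inline_realm = user.rsplit("@", 1)
        return name, inline_realm
    return user, realm or default_realm


def expected_service_principal(service, host, realm):
    """Assumed shape of the principal the kerberos5 mechanism verifies against."""
    return f"{service}/{host}@{realm}"


def check_failure(entry, princs, host=SASLAUTHD_HOST, default_realm=DEFAULT_REALM):
    """For one parsed failure, derive client and server principals and say
    whether each is present in the given set of KDC principals."""
    name, realm = split_user_realm(entry["user"], entry["realm"], default_realm)
    client = f"{name}@{realm}"
    server = expected_service_principal(entry["service"], host, realm)
    return {
        "service": entry["service"],
        "client": client,
        "client_exists": client in princs,
        "server": server,
        "server_exists": server in princs,
        "reason": entry["reason"],
    }


def report(log_text=SAMPLE_LOG, princs_text=SAMPLE_PRINCS):
    """Check every failure in log_text against the principal list in princs_text."""
    princs = set(princs_text.split())
    return [check_failure(e, princs) for e in parse_auth_failures(log_text)]


if __name__ == "__main__":
    for r in report():
        print(f"service={r['service']}: client {r['client']} "
              f"{'present' if r['client_exists'] else 'MISSING'}, "
              f"server {r['server']} "
              f"{'present' if r['server_exists'] else 'MISSING'} ({r['reason']})")
```

Run against the two quoted lines, it reports imap/baneling.harmonywave.com@HARMONYWAVE.COM as missing and ldap/baneling.harmonywave.com@HARMONYWAVE.COM as present, which matches the listprincs excerpt in the thread. Presence in the KDC is only the first condition: with the kerberos5 mechanism the password is verified by obtaining a ticket for that service principal, so its key also has to be in a keytab the saslauthd process can read, and a listprincs check cannot see that. testsaslauthd itself takes the service with -s and the realm with -r, so testsaslauthd -s ldap -r HARMONYWAVE.COM -u jschaeffer -p ... reproduces the field split of the second failure line.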
On 09/17/2016 02:41 PM, Joshua Schaeffer wrote:
Your testsaslauthd is trying to use the imap service. If you don't have an imap service in your KDC, then of course it will fail.
I saw that, but couldn't figure out how to change the service directly (Nothing in saslauthd(8) says anything about service). I'm assuming that "imap" is the default
Oh, duh.. it's the testsaslauthd(8) man page that explains the service name. I'll play around with that, but as I showed, I couldn't get it to work with the "ldap" service either, and I do have one of those.
openldap-technical@openldap.org